In the rapidly evolving world of cybersecurity, especially in industrial Internet-of-Things (IIoT) environments, traditional analysis techniques don’t always deliver the insights researchers need. Recently, a researcher from Cisco Talos unveiled a novel approach designed to work around limitations in hardware debugging—an approach aptly named “good enough” emulation. Rather than aiming to perfectly recreate an entire device’s behavior in software, this strategy focuses on emulating only the most critical portion of the system needed to uncover hidden flaws.
Targeting What Matters: The Socomec M-70 Gateway
The subject of this research was the Socomec DIRIS M-70 gateway, an IIoT device widely used for energy monitoring and communication across industrial networks. It supports multiple protocols such as Modbus RTU/TCP, BACnet, and SNMP—making it a central communications hub in settings ranging from data centers to healthcare facilities and critical infrastructure.
Given this broad attack surface, any security flaw in the gateway could have serious consequences, including service disruption or even manipulation of industrial operations. Unfortunately, physical debugging of the M-70’s code proved tougher than expected due to hardware protections that prevented reading its internal firmware directly.
The Debugging Challenge
Debuggers usually need unfettered access to a device’s memory and execution state, but the M-70’s microcontroller used a feature called Code Read-Out Protection (RDP). This setting blocks attempts to extract or step through code on the device via standard hardware interfaces like JTAG. With this wall in place, the researcher pivoted toward a software-based alternative: emulation.
Rather than investing significant time in building a full system emulator that mimics every device function, the researcher chose to emulate just the critical thread within the gateway’s firmware—the one responsible for processing Modbus protocol messages. This was a deliberate trade-off: emulate less, but focus on the code that truly matters. Hence the term “good enough.”
Tools of the Trade: Emulation and Fuzzing
To carry out this targeted emulation, the team used the Unicorn Engine, a CPU emulation framework that can run specific code segments in a controlled environment. This allowed the Modbus thread’s logic to execute in software, isolated from the rest of the system.
Once the code was emulated, the next step was to stress it with a technique known as fuzzing. In essence, fuzzing involves feeding a program thousands—sometimes millions—of random or malformed inputs to trigger unexpected behavior and crashes. The integration between Unicorn and the American Fuzzy Lop (AFL) fuzzing tool enabled automated, coverage-guided testing that explored many different execution paths within the Modbus logic.
To assist in debugging and analysis when crashes occurred, additional tooling such as the Qiling framework was used to visualize how the code executed and to pinpoint the root cause of each issue.
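As an added illustration, not code from the Talos research, here is a minimal mutation-fuzzing loop in Python run against a constructed Modbus RTU Read Holding Registers handler: the unchecked mode stands in for the kind of isolated protocol thread the researcher emulated, and the checked mode shows the length and range validation that removes the crash classes the loop finds. The register table, the handler, and the fuzz loop are assumptions for illustration; the real target ran as firmware code under Unicorn and AFL, not as Python.

```python
import random
import struct
HOLDING = [0] * 16  # constructed 16-register holding table standing in for device memory

def crc16(data: bytes) -> int:
    """Modbus RTU CRC-16 (poly 0xA001, init 0xFFFF); sent little-endian on the wire."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def modbus_handler(frame: bytes, strict: bool) -> bytes:
    """Stand-in for the emulated Modbus thread; strict=False trusts the request fields (constructed defect)."""
    if len(frame) < 4 or crc16(frame[:-2]) != int.from_bytes(frame[-2:], "little"):
        return b""  # bad CRC is dropped silently, as on a real device
    unit, fc = frame[0], frame[1]
    if fc != 0x03:  # only Read Holding Registers is modelled here
        return bytes([unit, fc | 0x80, 0x01])  # exception 01: illegal function
    if strict and len(frame) != 8:  # an FC3 request is exactly 8 bytes on the wire
        return bytes([unit, fc | 0x80, 0x03])  # exception 03: illegal data value
    addr, qty = struct.unpack(">HH", frame[2:6])
    if strict and not 1 <= qty <= 125:  # spec limit for FC3 quantity
        return bytes([unit, fc | 0x80, 0x03])
    if strict and addr + qty > len(HOLDING):
        return bytes([unit, fc | 0x80, 0x02])  # exception 02: illegal data address
    return bytes([unit, fc, qty * 2]) + b"".join(HOLDING[addr + i].to_bytes(2, "big") for i in range(qty))

def fuzz(handler, rounds: int = 2000, seed: int = 1) -> dict:
    """Minimal mutation loop: mutate a valid request, re-sign the CRC, keep the first frame per exception type."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(rounds):
        body = bytearray(b"\x01\x03" + struct.pack(">HH", 0, 4))  # seed: unit 1, FC3, addr 0, qty 4
        for _ in range(rng.randint(1, 3)):
            i, op = rng.randrange(len(body)), rng.randint(0, 2)
            if op == 0:
                body[i] = rng.randrange(256)  # overwrite a byte
            elif op == 1:
                body.insert(i, rng.randrange(256))  # insert a byte
            elif len(body) > 2:
                del body[i]  # drop a byte
        frame = bytes(body) + crc16(bytes(body)).to_bytes(2, "little")  # re-sign so input reaches the parser
        try:
            handler(frame)
        except Exception as exc:  # an unhandled exception in the parser is a denial-of-service candidate
            crashes.setdefault(type(exc).__name__, frame.hex())
    return crashes
```

Run `fuzz(lambda f: modbus_handler(f, strict=False))` to see the exception classes (short frames, out-of-range reads, oversized byte counts) that the unchecked handler raises; the strict handler returns protocol exception responses instead and yields an empty dict.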
Results: Uncovering Real Vulnerabilities
Although this “good enough” strategy might seem less rigorous than full system emulation, it proved powerful in practice. The fuzzing campaign revealed six distinct vulnerabilities in the Modbus handling code—each leading to possible denial-of-service conditions. These security flaws were responsibly reported under Cisco’s coordinated disclosure policy and have since been addressed by the device manufacturer.
Why “Good Enough” Works
This research highlights an important principle in security testing: sometimes, perfection isn’t necessary to be effective. By focusing on a specific execution thread rather than the entire environment, researchers achieved deep insights into a target’s weakest points without getting bogged down in peripheral complexity. Not only did this reduce the overall time investment compared to building a complete emulator, it also yielded actionable results.
In an era where IIoT devices are deeply embedded in essential services, and where hardware protections can limit traditional analysis, approaches like “good enough” emulation demonstrate how creativity and selectivity in tooling can lead to meaningful discoveries—and ultimately, better security for critical systems.
